“We are not as strong as we think we are” 


• Rich Mullins 
<GHz or bust!

leveraging the power of the Chipcon CC1111 (and RFCAT)



0x0001 — workshop plan - exercises


• lessons to teach: 

- play around with mods/baud/etc... 

- using the dongle to tune in and listen 

- using the dongle to determine, and transmit 

- playing with the dongle... it's just fun! 

• toys to play with: 

- Garage door opener 

- Keyless entry fob 

- Power Meter 

- Glucometer 

- IMME 1 

- IMME 2/dongle 



0x0002 — installing the client 


• once you have a cc1111 dongle flashed with RfCat...

• install the client according to the README

• blackhat release: 

- https://rfcat.googlecode.com/files/rfcat-blackhat2012.tgz 

- https://rfcat.googlecode.com/files/rfcatChronos-bh12.hex 

- https://rfcat.googlecode.com/files/rfcatDons-bh12.hex 



0x1000 — intro to <GHz 

• FCC Rules (Title 47) Parts 15 and 18 allocate and govern the parts of the RF spectrum used for unlicensed ISM in the US (the US adaptation of the ITU-R 5.138, 5.150, and 5.280 rules)

- Industrial - power grid stuff and more! 

- Science - microwave ovens? 

- Medical - insulin pumps and the like 

• US ISM bands: 

- 300:300 

- 433: 433.050-434.790 MHz 

- 915 : 902.000-928.000 MHz 

- cc1111 does 300-348, 372-460, 779-928 MHz... but we've seen more.

• Popular European ISM band: 

- 868 : 863.000 - 870.000 MHz 

• Other ISM includes 2.4 GHz and 5.8 GHz 

- cc2531.... hmmm... maybe another toy? 
• RFCAT uses the CC111x on some common dongles

- Chronos dongle (sold with every TI Chronos watch)

- “Don's Dongles”, aka TI CC1111EMK

- IMME (currently limited to sniffer/detection firmware)


• but there are some catches 

- rf comms configuration? 

- channel hopping sequence? 

- bluetooth and DSSS? (not hap'nin) 






0x1030 — why do i care!? 


• the inner rf geek in all of us 

• your security research may require that you consider 
comms with a wireless device 

• your organization may have 900MHz devices that 
should be protected! 



0x2000 


intro to the cc1111 core


• for the devs in the house... 

- mcu 

- radio state engine 

- radio configuration 

- usb 

- timers 

- dma 



0x2010 — cc1111 mcu


• modified 8051 core 

- 8-bit mcu 

- single-tick instructions 

- 256 bytes of iram 

- 4kb of xram 

- XDATA includes all code, iram, xram 

- execution happens anywhere :) 

• register access to radio, dma, crypto, usb, timers, adc 

• registers are simply memory locations in the XDATA address space



0x2020 — cc1111 radio state engine





0x2030 — cc1111 radio configuration


• configuring the radio is done through updating a set of 1-byte registers in varying bit-size fields

- MDMCFG4 - MDMCFG0 - modem control

- PKTCTRL1, PKTCTRL0 - packet control

- FSCTRL1, FSCTRL0 - frequency synth control

- FREND1, FREND0 - front end control

- FREQ2, FREQ1, FREQ0 - base frequency

- MCSM1, MCSM0 - radio state machine

- SYNC1, SYNC0 - SYNC word, or the SFD

- CHANNR, ADDR - channel and address

- AGCCTRL2, AGCCTRL1, AGCCTRL0 - gain control



0x2040 - Smart RF Studio (ftw)


(screenshot: CC1111 - Device Control Panel (offline), Easy Mode / Expert Mode)

Preset list shown in the panel:

- Data rate: 1.2 kBaud, Dev.: 5.1 kHz, Mod.: GFSK, RX BW: 63 kHz, optimized for sensitivity

- Data rate: 1.2 kBaud, Dev.: 5.1 kHz, Mod.: GFSK, RX BW: 63 kHz, optimized for current consumption

- Data rate: 2.4 kBaud, Dev.: 5.1 kHz, Mod.: GFSK, RX BW: 63 kHz, optimized for sensitivity

- Data rate: 2.4 kBaud, Dev.: 5.1 kHz, Mod.: GFSK, RX BW: 63 kHz, optimized for current consumption

- Data rate: 38.4 kBaud, Dev.: 20 kHz, Mod.: GFSK, RX BW: 94 kHz, optimized for sensitivity

- Data rate: 38.4 kBaud, Dev.: 20 kHz, Mod.: GFSK, RX BW: 94 kHz, optimized for current consumption

- Data rate: 250 kBaud, Dev.: 129 kHz, Mod.: GFSK, RX BW: 600 kHz, optimized for sensitivity

RF Parameters (as set in the screenshot):

- Base frequency: 868.299683 MHz

- Xtal frequency: 24.000000 MHz

- Modulation format: GFSK

- Channel number: 0

- Channel spacing: 199.951172 kHz

- RX filter BW: 62.500000 kHz

- TX power: (dropdown)

- Carrier frequency: 868.299683 MHz

- Manchester enable, PA ramping: checkboxes

Packet TX tab: packet payload size 30 (add seq. number), packet count 100 (or infinite), payload Random / Text / Hex (a random 30-byte payload is shown); readouts for sent packets, frequency and output power.


CC1111 - Register View (offline)

Register   Value (hex)
IOCFG2     00
IOCFG1     00
IOCFG0     06
SYNC1      D3
SYNC0      91
PKTLEN     FF
PKTCTRL1   04
PKTCTRL0   05
ADDR       00
CHANNR     00
FSCTRL1    06
FSCTRL0    00
FREQ2      24
FREQ1      2D
FREQ0      DD
MDMCFG4    E5
MDMCFG3    A3
MDMCFG2    13
MDMCFG1    23
MDMCFG0    11
DEVIATN    16
MCSM2      07
MCSM1      30
MCSM0      18
FOCCFG     17
BSCFG      6C
AGCCTRL2   03
AGCCTRL1   40
AGCCTRL0   91
FREND1     56
FREND0     10
FSCAL3     E9
FSCAL2     (cut off in the screenshot)
0x2050 — cc1111 radio notes


• Data Rate, Bandwidth, Intermediate Frequency and Frequency Deviation depend on each other

• put the radio in IDLE state before configuring

• put the radio in IDLE state before configuring

• put the radio in IDLE state before configuring

• STROBE (SIDLE, STX, SRX, SCAL...)

- then wait for MARCSTATE == MARC_STATE_<whatever you asked for>

• CCA impacts entering TX state from RX

- but not from IDLE state



0x2060 — usb 


• usb is a world unto itself, with a massive standard and 
substandards 

- gg: usb-in-a-nutshell 

- gg: usb complete jan axelson 

• cc1111's usb controller is accessed using:

- registers for config/control of usb 

- registers indicating usb events that occur 

- endpoint-specific FIFO buffers 

• messages go there before sending to host 

• messages arrive there from host 

- usb “descriptors” as necessary by spec 

• host uses these to query the device 

• our firmware provides all this and more 



0x2100 — RfCat for devs 


• cc1111usb.c provides usb descriptors and framework

- shouldn't need much tinkering

• cc1111rf.c provides the core of the radio firmware

- shouldn't need much tinkering

• application.c provides the template for new apps

- copy it and make your amazing toy

• txdata(buffer, length) to send data IN to host

• registerCbEP5OUT() to register a callback function to handle data OUT from host

- data is in ep5iobuf[]

• transmit(*buf, length) allows you to send on the RF pipeline

• appMainLoop() - modify this for handling RF packets, etc...

• follow the examples, luke!

- RfCat's “application” source is appFHSSNIC.c



0x3000 — radio info you want to know


• frequencies 

• modulation (2FSK/GFSK, MSK, ASK/OOK, other) 

• intermediate frequency (IF) 

• baud rate 

• channel width/spacing/hopping? 

• bandwidth filter 

• sync words / bit-sync 

• variable length/fixed length packets 

• crc 

• data whitening? 

• any encoding (manchester, FEC, enc, etc...)




0x3010 — interesting frequencies 


• 315MHz - car fobs 

• 433MHz - medical devices, garage door openers 

• 868MHz - EU loves this range 

• 915MHz - NA stuff of all sorts (power meters, insulin 
pumps, industrial plant equipment, industrial backhaul) 

• 2.4GHz - 802.11/wifi, 802.15.4/zigbee/6lowpan, bluetooth 

• 5.8GHz - cordless phones 

• FREQ2, FREQ1, FREQ0 




0x3020 — modulations 

• 2FSK/GFSK - Frequency Shift Key 

- (digital FM) 

- cordless phones (DECT/CT2) 

• ASK/OOK - Amplitude Shift Key 

- (digital AM) 

- morse-code, car-remotes, etc... 



• MSK - Minimum Shift Key (a type of quadrature shift modulation like QPSK)

- GSM

• MDMCFG2, DEVIATN 


0x3030 — intermediate frequency 


• mix the RF and LO frequencies to create an IF (heterodyne) 

- improves signal selectivity 

- tune different frequencies to an IF that can be manipulated easily 

- cheaper/simpler components 

• cc1111 supports a wide range of 31 different IF options:

- 23437 Hz apart, from 0 - 726.5 kHz

• Smart RF Studio recommends:

- 140 kHz up to 38.4 kbaud

- 187.5 kHz at 38.4 kbaud

- 281 kHz at 250 kbaud

- 351.5 kHz at 500 kbaud

• FSCTRL1
0x3040 — data rate (baud)

• much like your modems of old

• the frequency of bits 

- some can overlap and get garbage! 

• garbage can be good... 

• baud has significant impact on IF, Deviation and 
Channel BW 

• seeing use of 2400, 19200, 38400, 250000 

• MDMCFG3 / 4 





0x3050 — channel width / spacing 


• simplifying frequency hopping / channelized systems 

• real freq = base freq + (CHANNR * width) 











0x3060 — bandwidth filter 


• programmable receive filter 

• provides for flexible channel sizing/spacing 


• total signal bw = signal bandwidth + (2*variance)

- total signal bw wants to be less than 80% of the bw filter!

• MDMCFG4











0x3070 — preamble / sync words 


• identify when real messages are being received! 

• starts out with a preamble (10101010...)

• then a sync word (programmable bytes) 

- marking the end of the preamble 

- aka 'SFD' - start of frame delimiter 

• configurable to: 

- nothing (just dump received crap) 

- carrier detect (if the RSSI value indicates a message) 

- 15 or 16 bits of the SYNC WORD identified 

- 30 out of 32 bits of double-SYNC WORD 

• SYNC1, SYNC0, MDMCFG2 



0x3080 — variable / fixed-length packets 


• packets can be fixed length or variable length 

• variable length assumes first byte is the length byte 

• both modes use the PKTLEN register: 

- Fixed: the length 

- Variable: MAX length 

• PKTCTRL0, PKTLEN



0x3090 — CRC — duh, but not 


• crc16 check on both TX and RX 

• uses the internal CRC (part of the RNG) seeded by 0xffff

• DATA_ERROR flag triggers when CRC is enabled and fails

• some systems do this in firmware instead


• PKTCTRL0


(Figure 51: Packet Format, from the datasheet. Legend: fields inserted automatically in TX, processed and removed in RX; optional user-provided fields processed in TX, processed but not removed in RX; unprocessed user data, apart from FEC and/or whitening.)
0x30a0 — data whitening — 9 bits of pain 


• ideal radio data looks like random data 

• real world data can contain long sequences of 0 or 1 

• data to be transmitted is first XOR'd with a 9-bit sequence 


- sequence repeated as many times as necessary to 
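Added example (my own code, not from the slides or from RfCat) of the whitening the CC1111 applies: the 9-bit sequence is a PN9 LFSR (polynomial x^9 + x^5 + 1, register all ones at the start of each packet, per the TI CC1101/CC1111 datasheets) XORed onto the payload. Because XOR is its own inverse, the same routine de-whitens bytes you captured with whitening switched off in the dongle; the sample payload is constructed.

```python
"""PN9 data whitening as used by the CC1111/CC1101 family (page section 0x30a0).

Implementation assumed from the TI datasheet description: 9-bit LFSR,
polynomial x^9 + x^5 + 1, seeded with all ones at the start of every packet.
The first bytes it produces (FF E1 1D 9A ...) match the datasheet's PN9 table.
"""


def pn9_sequence(nbytes):
    """Return the first nbytes of the PN9 whitening sequence."""
    state = 0x1FF  # 9-bit shift register, all ones at packet start
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for bit in range(8):
            byte |= (state & 1) << bit               # bit 0 is the output bit
            feedback = (state ^ (state >> 5)) & 1    # taps of x^9 + x^5 + 1
            state = (state >> 1) | (feedback << 8)
        out.append(byte)
    return bytes(out)


def whiten(data):
    """XOR data with PN9; applying it twice returns the original bytes."""
    return bytes(b ^ p for b, p in zip(data, pn9_sequence(len(data))))


def longest_run(data):
    """Length of the longest run of identical bits, the symptom whitening removes."""
    bitstr = "".join(f"{b:08b}" for b in data)
    best = cur = 0
    prev = None
    for bit in bitstr:
        cur = cur + 1 if bit == prev else 1
        prev = bit
        best = max(best, cur)
    return best


if __name__ == "__main__":
    # constructed payload: long runs of 0 and 1, the case the slide warns about
    payload = bytes([0x00] * 6 + [0xFF] * 6)
    wh = whiten(payload)
    print("PN9 head :", pn9_sequence(8).hex())
    print("whitened :", wh.hex(), "longest run of identical bits:", longest_run(wh))
    print("restored :", whiten(wh) == payload)
```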
0x30b0 — encoding

• manchester

- MDMCFG2

(figure: clock and Manchester-encoded data waveforms)

• forward error correction

- convolutional

- reed-solomon (not supported)

• MDMCFG1

• encryption - AES in chip
0x30c0 — MDMCFG2 register
sorry, couldn't resist 


(comic: Big Idea #3: Secrecy Only in the Key)

After thousands of years, we learned that it's a bad idea to assume that no one knows how your method works. Someone will eventually find that out.

Panel 1 - "Tell me how it works!" / "Ok..." / "Great! Now I can decode everything!" - BAD

Panel 2 - "Tell me how it works!" / "No problem! It's on Wikipedia, but I don't know the key." / "Rats!" - BETTER


0x3100 — how can we figure it out!? 


• open / public documentation 

- insulin pump published frequency 

• open source implementation / source code 

• “public” but harder to find (google fail!) 

- fcc.gov - search for first part of FCC ID 

• bookmark it

- patents - amazing what people will patent!

• french patent describing the whole MAC/PHY of one meter

• and another:



0x3101 — how can we figure it out!? -part2 


• reversing hw 

- tapping bus lines - logic analyzer 

• grab config data 

• grab tx/rx data 

- pulling and analyzing firmware 

• hopping pattern analysis 

- arrays of dongles - space them out and record results 

- hedyattack, or something similar

- spectrum analyzer

- USRP2 or latest gadget from Michael Ossmann

• trial and error - rf parameters

• MAC layer? - takes true reversing... unless you find a patent :)



0x4000 — intro to FHSS 


(figure: frequency-hopping channel sequence 9 3 5 11 1 15 4 13 7 10 16 2 14, and a direct sequence waveform)


• FHSS is common for devices in the ISM bands

- provides natural protection against unintentional jamming / interference

- US Title 47 CFR 15.247 affords special power considerations to FHSS devices


• >25 kHz between channels

• pseudorandom pattern

• each channel used equally (avg) by each transmitter

• if 20 dB bandwidth of hopping channel < 250 kHz:

- must have at least 50 channels

- average <0.4 sec per 20 seconds on one channel

• if 20 dB bandwidth of hopping channel > 250 kHz:

- must have at least 25 channels

- average <0.4 sec per 10 seconds on one channel






0x4010 — FHSS, the one and only - not! 


• different technologies: 

- DSSS - Direct Sequence Spread Spectrum 

• hops happen more often than bytes (ugh) 

• typically requires special PHY layer 

- “FHSS” 

• hops occur after a few symbols are transmitted 

• different topologies: (allow for different synch methods) 

- point-to-point (only two endpoints) 

- multiple access systems (couple different options) 

• each cell has their own hopping pattern 

• each node has own hopping pattern 

• different customers: 

- military has used frequency hopping since Hedy and George submitted the patent in 1941.

- commercial folks (WiFi, Bluetooth, proprietary stuff like power meters) 



0x4020 — FHSS intricacies 


• what's so hard about FHSS? 

- must know or be able to come up with the hopping pattern 

• can be anywhere from 50 to a million distinct channel hops before the pattern repeats (or more)

- must be able to synchronize with an existing cell or partner 

• or become your own master! 

- must know channel spacing 

- must know channel dwell time (time to sit on each channel) 

- likely need to reverse engineer your target 

- DSSS requires that you have special hardware 

• military application will be very hard to crack, as it typically will have hops 
based on a synchronized PRNG to select channels 



0x4030 — FHSS , the saving graces 

• any adhoc FHSS multi-node network: (power meters/sensor-nets) 

- node sync in a reasonable timeframe 

• limited channels in the repeated pattern 

- each node knows how to talk to a cell 

• let one figure it out, then tap the SPI bus to see what the pattern is...

• two keys to determining hopping pattern: 

- hop pattern generation algorithm 

• often based on the CELL ID 

- one pattern gets you the whole cell:) 

• others generate a unique pattern per node 

- some sync information the cell gives away for free 

• gotta tell the nOObs how to sync up, right? 

• for single-pass repeating sequences, it's just the channel 



0x4040 — FHSS summary 


• FHSS comes in different forms for different uses and 
different users 

• FHSS is naturally tolerant to interference, and allows a 
device to transmit higher power than nonFHSS comms 

• getting the FHSS pattern, timing, and appropriate sync 
method for proprietary comms can be a reversing 
challenge 

• getting a NIC to do something with the knowledge gained 
above has - to date - been very difficult 



0x5000 — intro to RfCat 


• RfCat: RF Chipcon-based Attack Toolset 

• background... 

• goals... 

• plans... 

• where we're at so far... 



0x5010 — rfcat background 


• the power grid 

- power meters and the folks who love them (yo cutaway, q, travis and josh!)

- no availability of good attack tools for RF 

• vendor at Distributech 2008: 

“Our Frequency Hopping Spread Spectrum is too fast 
for hackers to attack.” 

• OMFW! really? 



0x5020 — rfcat goals 


• RE tools - “how does this work?” 

• security analysis tools - “your FHSS and Crypto is weak!” 

• satiate my general love of RF 


• a little of Nevil Maskelyne 

• “I will not demonstrate to any man who throws doubt upon the 
system” - Guglielmo Marconi, 1903 

- lulwut? 



0x5030 — this is not HedyAttack 

• but leveraged the knowledge from HA... 

• cc1111usb is the base code which HedyAttack started

- forms the USB base for RfCat

• less "researchy"

- this project won't find hopping patterns

- its goal is to provide you something to do with that infoz

• “so, we determined this hopping pattern... now what?”

• more utilitarian

- give us comms parameters and a hopping pattern, and we'll be a NIC, sniffer, and interact with RF gadgets

- some devices will require more customization than others



0x5040 — rfcat's interface 


• rfcat is many things, but I like to think of it as an interactive 
python access to the <GHz spectrum! 

- <insert pic> 

• rfcat 

- FHSS-capable NIC 

• some assembly may be required for FHSS to arbitrary devices 

- toolset for discovering/interfacing with RF devices 

• rfcat_server 

- access the <GHz band over an IP network or locally and configure on the fly

- connect to tcp port 1900 for raw data channel 

- connect also to tcp port 1899 for configuration 



0x5050 


rfcat 


• customizable NIC-access to the ISM bands 

• ipython for best enjoyment 

• lame spoiler: you get a global object called “d” to talk to the dongle

'RfCat, the greatest thing since Frequency Hopping!'

- d.RFxmit('blah')

- data = d.RFrecv()

- d.discover(lowball

- d.RFlisten()


'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.027489 seconds)
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.011954 seconds)
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.012381 seconds)
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.012189 seconds)
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.012411 seconds)
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.012139 seconds)
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.012379 seconds)
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.012392 seconds)
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.011946 seconds)
'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.011591 seconds)


Don't you wish this were a CLI!? Sorry. Maybe soon.
For now, enjoy the raw power of rflib, or write your ...

currently your environment has an object called "d" ...
you interact with the rfcat dongle, for ...:

>>> d.ping()

>>> d.setFreq(433000000)

>>> d.setMdmModulation(MOD_ASK_OOK)

>>> d.makePktFLEN(250)

>>> d.RFxmit("HALLO")

>>> d.RFrecv()

>>> print d.reprRadioConfig()




0x5060 — rfcat server 


• bringing <GHz over the IP network! 

• connect on TCP port 1900 to access the wireless network 

• connect on TCP port 1899 to access the wireless configuration 

• created to allow non-python clients to play too 

- stdin is not always the way you want to interact with 
embedded wireless protocols 


atlas@blah:~$ nc -v localhost 1900 

Connection to localhost 1900 port [tcp/*] succeeded! 


atlas@blah:~$ nc -v localhost 1899 

Connection to localhost 1899 port [tcp/*] succeeded! 

welcome to the cc1111usb interactive config tool, hack fun!
(Cmd) help

Documented commands (type help <topic>):

CARRIER_SENSE_ABS_THR  CARRIER_SENSE_REL_THR  DEM_DCFILT  FS_AUTOCAL
MAX_LNA_GAIN  MAGN_TARGET  MAX_DVGA_GAIN  PA_POWER
REGS_AGCCTRL  REGS_BSCFG_FOCCFG  REGS_FREND  REGS_FREQ  REGS_FSCTRL
REGS_MCSM  REGS_MDMCFG  REGS_PATABLE  REGS_TEST
REG_DEVIATN  REG_PKTCTRL  REG_PKTLEN  REG_PKTSTATUS  RESET
addr  addr_chk  chanspc  datawhiten  debug_codes  download_config
ping  poke  pqt  printable  rawinput  show_config
syncmode  syncword  upload_conf...
(some entries are illegible in the screenshot)


(rfcat_server console, partly cut off in the screenshot:)
atlas@blah:rfcat
Listening for NIC c... on port 1900
... received DATA co... from 127.0.0.1:55...
... received CONFIG ... from 127.0.0.1:...









0x5070 — rfsniff (pink version too!) 



• focused primarily on capturing data from the wireless network

• IMME used to provide a nice simple interface

• RF config adjustment using keyboard!


01/25/2012



0x5065 — rfsniff — key bindings 




q, a - inc/dec highest sync word nibble
w, s - inc/dec high-middle sync word nibble
e, d - inc/dec low-middle sync word nibble
r, f - inc/dec lowest sync word nibble
z - NO sync word matching

menu - inc Modulation type
bye! - dec Modulation type

up - inc recv bandwidth
down - dec recv bandwidth

right - inc baud rate
left - dec baud rate

p, Enter - inc/dec frequency
o, ',' - faster inc/dec frequency
i, m - even faster inc/dec frequency
l - set freq to 915 MHz
k - set freq to 868 MHz
j - set freq to 433 MHz
h - set freq to 315 MHz

t, v - inc/dec channels
g - set channel = 0

SPACE - switch screens
SPKR - toggle CARRIER TX mode (good for showing up on a SpecAn, or, umm, jamming?)


0x5080 — rfcat wicked coolness 


• d._debug = 1 - dump debug messages as things happen 

• d.debug() - print state infoz once a second 

• d.discover() - listen for specific SYNCWORDS 

• d.lowball() - disable most “filters” to see more packets 

• d.lowballRestore() - restore the config before calling lowball() 

• d.RFlisten() - simply dump data to screen

• d.RFcapture() - dump data to screen, return list of packets

• d.scan() - scan a configurable frequency range for “stuff”

• print d.reprRadioConfig() - print pretty config infoz



0x5090 — lowball and discover 

• lowball mode stores current radio config 

>>> d.lowball() # drops most blocks to pkts (CARRIER)
>>> d.lowballRestore() # returns original config
>>> d.lowball(0) # dumps all sorts of crap (SYNCM_NONE)
>>> d.lowball(1) # default... same as no argument

• discover() uses lowball mode, adds value

d.discover(lowball, debug, length, IdentSyncWord, SyncWordMatchList)

>>> d.discover() # enters lowball mode, dumps pkts
>>> d.discover(lowball=0) # dumps way more pkts
>>> d.discover(IdentSyncWord=True)

>>> d.discover(SyncWordMatchList=[0xdead, 0xbeef])



0x5100 — example lab setup 


• example RF attack lab setup: 

- dongle “Gina” running hedyattack spec-an code 

- dongle “Paul” running rfcat 

- IMME running rfsniff 

- (possibly an IMME's running SpecAn) 

- saleae logic analyzer for hacking of the wired variety 

- FunCube Dongle and quisk/qthid or other SDR 



rf attack form 

• basefreq: 

• modulation: 

• baud/bandwidth: 

• deviation: 

• channel hopping? 

- how many channels: channel spacing: 

- pattern and effective sync method? dwell period (ms): 

• fixed-/variable-length packets: len/maxlen: 

• “address”: 

• sync word (if applicable): 

• crc16 (y/n): does chip do correct style? 

• FEC (y/n): type (convolutional/reed-solomon/other):

• manchester encoding (y/n): 

• data whitening? and 9bit pattern: 

• more complete information: 
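To connect the register slides (0x2030 through 0x30b0) with this form, here is an added Python example (my code, not rfcat's or the slides') that fills in the form's fields from the register dump shown on the Smart RF Studio slide. Bit layouts and formulas are those of the TI CC1101/CC1111 datasheets; FXOSC assumes the 24 MHz crystal of the CC1111 dongles (CC1101 boards usually run 26 MHz), and the 80% filter check is a rough 2-FSK occupied-bandwidth estimate, an assumption of mine.

```python
"""Fill in the "rf attack form" fields from a CC1111 register dump.

Formulas and bit fields follow the TI CC1101/CC1111 datasheets.  The sample
register values are constructed from the Smart RF Studio register view shown
earlier on this page.  FXOSC is an assumption (24 MHz crystal on CC1111 dongles).
"""

FXOSC = 24_000_000  # Hz; assumed crystal, CC1101 boards are usually 26 MHz

# constructed from the register view on the page (hex values as shown there)
REGS = {
    "SYNC1": 0xD3, "SYNC0": 0x91, "PKTLEN": 0xFF, "PKTCTRL1": 0x04,
    "PKTCTRL0": 0x05, "ADDR": 0x00, "CHANNR": 0x00, "FSCTRL1": 0x06,
    "FREQ2": 0x24, "FREQ1": 0x2D, "FREQ0": 0xDD, "MDMCFG4": 0xE5,
    "MDMCFG3": 0xA3, "MDMCFG2": 0x13, "MDMCFG1": 0x23, "MDMCFG0": 0x11,
    "DEVIATN": 0x16,
}

MOD_FORMATS = {0: "2-FSK", 1: "GFSK", 3: "ASK/OOK", 7: "MSK"}
SYNC_MODES = {0: "none", 1: "15/16", 2: "16/16", 3: "30/32",
              4: "carrier sense only", 5: "15/16 + carrier sense",
              6: "16/16 + carrier sense", 7: "30/32 + carrier sense"}
LENGTH_CONFIG = {0: "fixed", 1: "variable", 2: "infinite", 3: "reserved"}
PREAMBLE_BYTES = [2, 3, 4, 6, 8, 12, 16, 24]  # NUM_PREAMBLE encoding


def bits(value, hi, lo):
    """Extract bit field [hi:lo] of an 8-bit register value."""
    return (value >> lo) & ((1 << (hi - lo + 1)) - 1)


def decode_radio_config(regs, fxosc=FXOSC):
    """Return the form's fields, derived from the raw register values."""
    # FREQ2:FREQ1:FREQ0 form a 24-bit word; f_carrier = fxosc * FREQ / 2^16
    freq_word = (regs["FREQ2"] << 16) | (regs["FREQ1"] << 8) | regs["FREQ0"]
    base_freq = fxosc * freq_word / 2 ** 16

    # MDMCFG4: [7:6] CHANBW_E, [5:4] CHANBW_M, [3:0] DRATE_E; MDMCFG3 = DRATE_M
    chanbw_e, chanbw_m = bits(regs["MDMCFG4"], 7, 6), bits(regs["MDMCFG4"], 5, 4)
    rx_bw = fxosc / (8 * (4 + chanbw_m) * 2 ** chanbw_e)
    drate_e, drate_m = bits(regs["MDMCFG4"], 3, 0), regs["MDMCFG3"]
    baud = (256 + drate_m) * 2 ** drate_e * fxosc / 2 ** 28

    # DEVIATN: [6:4] DEVIATION_E, [2:0] DEVIATION_M
    dev_e, dev_m = bits(regs["DEVIATN"], 6, 4), bits(regs["DEVIATN"], 2, 0)
    deviation = fxosc / 2 ** 17 * (8 + dev_m) * 2 ** dev_e

    # MDMCFG1 [1:0] CHANSPC_E and MDMCFG0 = CHANSPC_M give the channel width
    chanspc_e, chanspc_m = bits(regs["MDMCFG1"], 1, 0), regs["MDMCFG0"]
    chan_spacing = fxosc / 2 ** 18 * (256 + chanspc_m) * 2 ** chanspc_e

    # FSCTRL1 [4:0] FREQ_IF: IF = fxosc / 2^10 * FREQ_IF (23437.5 Hz steps)
    freq_if = fxosc / 2 ** 10 * bits(regs["FSCTRL1"], 4, 0)

    mdmcfg2, mdmcfg1, pktctrl0 = regs["MDMCFG2"], regs["MDMCFG1"], regs["PKTCTRL0"]
    return {
        "base_freq_hz": base_freq,
        # slide 0x3050: real freq = base freq + (CHANNR * width)
        "real_freq_hz": base_freq + regs["CHANNR"] * chan_spacing,
        "channel_spacing_hz": chan_spacing,
        "modulation": MOD_FORMATS.get(bits(mdmcfg2, 6, 4), "reserved"),
        "baud": baud,
        "rx_bandwidth_hz": rx_bw,
        "deviation_hz": deviation,
        # assumption: 2-FSK occupied bw ~ baud + 2*deviation; slide 0x3060 wants < 80% of filter
        "rx_filter_ok": baud + 2 * deviation <= 0.8 * rx_bw,
        "intermediate_freq_hz": freq_if,
        "sync_word": (regs["SYNC1"] << 8) | regs["SYNC0"],
        "sync_mode": SYNC_MODES[bits(mdmcfg2, 2, 0)],
        "manchester": bool(bits(mdmcfg2, 3, 3)),
        "fec_convolutional": bool(bits(mdmcfg1, 7, 7)),
        "preamble_bytes": PREAMBLE_BYTES[bits(mdmcfg1, 6, 4)],
        "data_whitening": bool(bits(pktctrl0, 6, 6)),
        "crc16": bool(bits(pktctrl0, 2, 2)),
        "length_config": LENGTH_CONFIG[bits(pktctrl0, 1, 0)],
        "pktlen": regs["PKTLEN"],
        "address": regs["ADDR"],
    }


if __name__ == "__main__":
    for field, value in decode_radio_config(REGS).items():
        print(f"{field:>22}: {value}")
```

The decoded values (868.299683 MHz, 1.2 kBaud, 5.1 kHz deviation, 62.5 kHz filter, 199.95 kHz spacing) reproduce what the Smart RF Studio panel displayed for that register set, which is a quick sanity check of the crystal assumption.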





0x6000 — playing with medical devices

• CAUTION: MUCKING WITH THESE CAN KILL PEOPLE. 

- THIS FIRMWARE AND CLIENT NOT PROVIDED 

• found frequency in the pdf manual from the Internet 

- what random diabetic cares what frequency his pump 

communicates with!? ok, who cares! 

• modulation guessed based on spectrum analysis and trial/error 

- the wave form just looks like <blah> modulation! 

• other characteristics discovered using a USRP and baudline (and some custom tools, thanks Mike Ossmann!)



0x6010 — the discovery process


• glucometer was first captured using a Spectrum Analyzer (IMME/hedyattack) to validate the frequency range from the lay documentation

• next a logic analyzer (saleae) was used to tap debugging lines

• next, the transmission was captured using a USRP (thank you Mike Ossmann for sending me your spare!)

• next, the “packet capture” was loaded into Baudline, and analysis performed to identify baudrate and modulation scheme, and get an idea of bits

• next, Mike Ossmann did amazing-sauce, running the capture through GnuRadio Companion (the big picture on next slide)

• RF parameters confirmed through RF analysis and real-life capture.





0x6011 — discovery reloaded


(screenshot: GNU Radio Companion, tab "insulin-demod", among other flowgraphs such as xyloc-demod, xyloc-replay and docsis-interferer. Flowgraph: File Source (...insulindip.cfile, repeat: yes) -> Throttle -> Power Squelch (threshold: -100 dB, alpha: 10m) -> Multiply with a Signal Source (sample rate: 500k, waveform: cosine, frequency: -9 5k as shown, amplitude: 1, offset: 0) -> ... -> Binary Slicer -> Correlate Access Code (access code and relative limit cut off); Variable symbol_rate = 16.384k. The block library pane lists Sources, Sinks, Operators, Type Conversions, Stream Conversions, Misc Conversions, Synchronizers, Level Controls, Filters, Modulators, Error Correction, Line Coding, Vocoders, Probes, Variables, Misc and Digital (Binary Slicer, Clock Recovery MM, CMA Equalizer, Constellation Decoder).)
0x6020 


—the immaculate reception 


• punched in the RF parameters into a RFCAT dongle 

- created subclass of RFNIC (in python) for new RF config 


• dropped into “discover” mode to ensure I had the modem right 


(discover-mode output: a stream of "(timestamp) Received: <hex>" lines, each a long 0x55/0xaa preamble run around the payload bits, each followed by "possible Sync Dwords: ['0xaaffL', '0xaabfL', '0xaaafL', '0xaaabL', '0xaaaaL', '0x2aaaL', '0xaaaL', '0x2aaL']")


• returned to normal NIC mode to receive real packets 

• now need the pump to reverse the bi-dir protocol 


(normal NIC mode: the same packet received again and again: 'aa5ab4732d0d2f19ac56558000')








0x6100 — playing with a power meter


• CAUTION: MUCKING WITH POWER SYSTEMS WITHOUT APPROPRIATE 
AUTHORIZATION IS ILLEGAL, EVEN IF IT IS ON THE SIDE OF YOUR HOUSE! 

• most power meters use their own proprietary “Neighborhood Area Network” 
(NAN), typically in the 900MHz range and sometimes 2.4GHz or licensed 
spectrum. 

• to get the best reception over distance and gain tolerance to interference, all 
implement FHSS to take advantage of the Title 47: Part 15 power 
allowances 



• many of the existing meters use the same cc1111 or cc1110 chips, or the cc1101 radio core


• this is the reason I'm here today 






0x6110 — as sands through the hourglass


• power meter RF comms have long been “unavailable” for 
most security researchers 

• some vendors understand the benefits of security 
rigor by outside researchers 

- others, however, do not. 

• the gear used in my presentation was given to me by one 
who understands 

- for various reasons, they have asked to remain anonymous; however, their security team has a well-founded approach to finding out “how their baby is ugly”. I would like to give them credit for their commitment to the improved security of their products.




0x6120 — smart meter — the complication


• power meters are not so simple as glucometers 

- proprietary FHSS in a multiple-access topology 

- have to endure the RF abuse of the large metropolis 

• complex mac sync/net-registration 

• not easy to show with a single meter without a Master node. 

• initial analysis was performed via my saleae LA: 

• SpecAn code on IMME's and hedyattack dongles 

- good for identifying periods of scanning 

• although the dongle can hop along with the meter, we won't be 
demoing synching with the meter today 



0x6130 — the approach 

• determine the rf config and hopping pattern through SPI Bus sniffing (and my saleae again)


(Saleae Logic 1.1.15 screenshot, capture file "...got_tx_hopping_data-16MHz.logicdata", with the SPI traffic between the meter's MCU and its radio decoded:)

SET RF channel: 0 - 902250000

STROBE SRES
WRITE IOCFG2 (BURST) 01
READ  IOCFG2 (BURST) 01
WRITE FSTEST (BURST) 59
READ  FSTEST (BURST) 59
WRITE PATABLE (BURST) 00
READ  PATABLE (BURST) 00
STROBE SIDLE
STROBE SCAL
STROBE SFRX
STROBE SRX
STROBE SIDLE
STROBE SCAL
STROBE SFRX
STROBE SRX
(... the SIDLE / SCAL / SFRX / SRX strobes repeat for every hop, with the SRES / IOCFG2 / FSTEST / PATABLE write-and-read-back sequence recurring in between)






0x6140 — the approach (2) 


• discover mode: 


- disables sync-word so radio sends unaligned bits 

Entering Lowball mode and searching for appropriate SyncWord 

(1327552987,030) Received: fffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffeOOOOOOOOOOOOOOOOOOOOOO 
000000000000000001010000000000000000000000000000000000800000000000000000000000000000000000400000000000000000000000000000000001000000000000000000000000000000000 
0000100080000000000000000000000040000000207faaaaabe8657df88206568411adff9fcdffffcal090ff8ac000080009000460000200a0014113040000210b0405080019f6ffffffff 
possible Sync Dwords: ['0xfa19L', '0xbe86L', '0xafa1L', '0xabe8L', '0xaafaL', '0xaabeL', '0xaaafL', '0xaaabL'] 

possible Sync Dwords: ['0xfa19L', '0xbe86L', '0xafa1L', '0xabe8L', '0xaafaL', '0xaabeL', '0xaaafL', '0xaaabL'] 

possible Sync Dwords: ['0xfa19L', '0xbe86L', '0xafa1L', '0xabe8L', '0xaafaL', '0xaabeL', '0xaaafL', '0xaaabL'] 


possible Sync Dwords: ['0xfa19L', '0xbe86L', '0xafa1L', '0xabe8L', '0xaafaL', '0xaabeL', '0xaaafL', '0xaaabL'] 

- algorithm looks for preamble (0xaa or 0x55) 

- then determines possible dwords 

• ummm... but that's not any bit-derivation of the sync word(s) I expect, wut? I am confident those are coming from the meter 


- intro: Bit Inversion (see highlighted hex) 
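As an added example (not rfcat's own code; every packet byte is constructed), a bit-level sketch of what discover mode's sync word search does on a raw lowball(0) capture: find an alternating 0xaa/0x55 preamble at any bit offset, list the 16-bit windows after it the way rfcat's IdentSyncWord listing does, and repeat the search on the bit-inverted capture:

```python
# Added example, not rfcat's code: a bit-level sketch of what the slide's
# discover/IdentSyncWord pass does on a raw lowball(0) capture, plus the
# bit-inversion check. Packet bytes below are constructed, not captured.

def bits_of(data: bytes) -> str:
    """Bytes -> '0'/'1' string, MSB first, so the scan can run at any bit offset."""
    return ''.join(f'{b:08b}' for b in data)

def pack_bits(bits: str) -> bytes:
    """'0'/'1' string -> bytes, zero-padded at the end (builds misaligned input)."""
    bits += '0' * (-len(bits) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def invert(data: bytes) -> bytes:
    """Flip every bit: an inverted capture shows a 0x55 preamble and ~syncword."""
    return bytes(b ^ 0xFF for b in data)

def find_sync_candidates(data: bytes, min_preamble_bits: int = 16) -> set:
    """Find runs of alternating bits (the 0xaa/0x55 preamble) at any bit offset
    and return the 16-bit windows starting where each run ends. As in rfcat's
    listing, windows are also taken a nibble at a time back into the preamble,
    so 0xfa19 is reported alongside 0xafa1, 0xaafa and 0xaaaf."""
    bits = bits_of(data)
    n = len(bits)
    cands = set()
    i = 0
    while i < n:
        j = i
        while j + 1 < n and bits[j] != bits[j + 1]:
            j += 1                      # bits[i..j] alternate; bits[j+1] == bits[j]
        if j - i + 1 >= min_preamble_bits:
            for start in (j, j + 1, j - 4, j - 8, j - 12):
                if start >= 0 and start + 16 <= n:
                    cands.add(int(bits[start:start + 16], 2))
        i = j + 1
    return cands

def identify_sync_words(data: bytes, min_preamble_bits: int = 16) -> dict:
    """Search the capture as received and after bit inversion."""
    return {'normal': find_sync_candidates(data, min_preamble_bits),
            'inverted': find_sync_candidates(invert(data), min_preamble_bits)}

# constructed: 4-byte 0xaa preamble, sync word 0xfa19, then some payload
PKT = bytes.fromhex('aaaaaaaafa19') + b'meter payload'
NOISE = bytes.fromhex('00ff1337deadbeef')   # constructed: no preamble run

if __name__ == '__main__':
    for label, found in identify_sync_words(PKT).items():
        print(label, sorted(hex(w) for w in found))
```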



0x6145 — new developments 


• vendors filed numerous patents with hopping pattern 
calculations, communications parameters, etc... 

- WIN! 

- plenty of work to be done! jump right in! 

• http://www.patentstorm.us/patents/7064679/fulltext.html 

• http://www.patentstorm.us/patents/7962101/fulltext.html 

• http://www.patentstorm.us/applications/20080204272/fulltext.html 

• http://www.patentstorm.us/applications/20080238716/fulltext.html 



‘Abuse is no argument’ 
- Nevil Maskelyne 



0x6150 - conclusions 


• rfcat discover mode roxors 

• rfcat is a foundation for your attack tool 

- way more than just a tool in itself 

• we are responsible for ensuring our devices use 
appropriate security; do not simply expect someone else 
to do it. the first med-device death could be your best 
friend. 
• power hardware folk who play nice with security researchers 

• cutaway and q (awesome hedyattackers) 

• gerard van den bosch 

• travis and mossman 
• Jewel, bug, ringwraith, diva 

• Jesus Christ 



0xE1 — workshop ej 1 — getting started 


$ tar zxf rfcat-blackhat2012.tgz 

$ cd rfcat-blackhat2012 

$ sudo python setup.py install (trust me!) 


$ rfcat -r 


atlas@blah:~/hacking/Hardware/rfcat$ rfcat -r 
'RfCat, the greatest thing since Frequency Hopping!' 

Don't you wish this were a CLI!? Sorry. Maybe soon... 

For now, enjoy the raw power of rflib, or write your own device-specific CLI! 

currently your environment has an object called "d" for dongle, this is how 
you interact with the rfcat dongle, for example: 

>>> d.ping() 

>>> d.setFreq(433000000) 

>>> d.setMdmModulation(MOD_ASK_OOK) 

>>> d.makePktFLEN(250) 

>>> d.RFxmit("HALLO") 

>>> d.RFrecv() 

>>> print d.reprRadioConfig() 




0xE2 — workshop ej 2 — listen to teacher 


$ rfcat -r 

>>> d.setMdmModulation(MOD_ASK_OOK) 

>>> d.setMaxPower() 

>>> d.setMdmDRate(9600) 

>>> d.makePktVLEN() # variable length packet 

>>> d.RFlisten() 



0xE3 — heartfelt communication 


• pick a friend (or set of friends) 

• agree on who will xmit and who will recv 

$ rfcat -r # common (xmit/recv) 

>>> d.setMdmModulation(MOD_GFSK) 
>>> d.makePktFLEN(20) 

>>> d.setFreq( 915200000 ) 

— recver — 

>>> d.RFlisten() 

— xmitter — 

>>> d.RFxmit("hello my name is <name>") 

• what happened? 



0xE3.5 — your closer friends... 


• two problems: length and sync word! 

• both xmitter and recver (not necessarily at once): 

- increase the packet length 
>>> d.makePktFLEN(35) 

- now agree upon a 16-bit sync word (0 - 0xffff) 
>>> d.setMdmSyncWord(<syncword>) 

- now try again 

- then reverse roles 

- now learn the power of the dark side! 

>>> d.discover() 

>>> d.discover(IdentSyncWord=True) 

>>> help(d) # ahhhhhhhh. 




0xE4 - mismatching 


• xmitter and recver pick the same config (last ej) 

• select random quiet frequency (same as each other) 

• xmitter change something and transmit, talk to recver (use 
your mouth) to discuss results 

>>> d.setMdmModulation(MOD_*) 

(MOD_ASK_OOK, MOD_GFSK, MOD_2FSK, MOD_MSK) 
>>> d.setMdmDRate(baud) 

>>> d.setMdmDeviatn(<deviation_number>) 

>>> d.makePktFLEN() and d.makePktVLEN() # vary len too! 



0xE5 — lowball, discovery, and scanning 

• enter lowball mode (which stores config) 

>>> d.lowball() # (SYNCM_CARRIER) 

>>> print d.reprClientState() 

>>> d.lowballRestore() # restore the config 
>>> d.RFrecv() # and again, until you receive a timeout error 

• now use lowball level 0: 

>>> d.lowball(0) # dumps all sorts of crap (SYNCM_NONE) 
>>> print d.reprRadioConfig() 

>>> d.lowballRestore() # restores original config 
>>> d.RFrecv() # grab raw packet 

>>> d.recvAll(APP_NIC, NIC_RECV) # dump all buffered pkts 



0xE5.1 — discover mode 


• now use discover() 

>>> d.discover() # press <enter> to leave discover mode 
>>> d.discover(lowball=0) # what do you see? 

>>> d.discover(IdentSyncWord=True) # what's that?! 

>>> d.discover(SyncWordMatchList=[0x0c4e, 0xf432]) 



0xE5.2 — looking for trouble (kick in a door) 


• frequency scanning (based on lowball) 

>>> d.scan(basefreq, inc, count, delaysec, drate, lowball) 


>>> d.scan(902e6, 250e3, 104, 2, 38400, 1) 


[1]: d.scan() 
Scanning range: 

Scanning for frequency 902000000... 
Scanning for frequency 902250000... 
Scanning for frequency 902500000... 
Scanning for frequency 902750000... 
Scanning for frequency 903000000... 
Scanning for frequency 903250000... 
Scanning for frequency 903500000... 
Scanning for frequency 903750000... 
Scanning for frequency 904000000... 
Scanning for frequency 904250000... 
Scanning for frequency 904500000... 
Scanning for frequency 904750000... 
Scanning for frequency 905000000... 
Scanning for frequency 905250000... 

Scanning for frequency 909500000... 

Scanning for frequency 909750000... 

Scanning for frequency 910000000... 

Scanning for frequency 910250000... 

Scanning for frequency 910500000... 

Scanning for frequency 910750000... 

Scanning for frequency 911000000... 

Scanning for frequency 911250000... 

Scanning for frequency 911500000... 

Scanning for frequency 911750000... 

Scanning for frequency 912000000... 

(1342153528.208) Receiving: ee97bbb435b8b5a32624414f9fabc96f 1 f5430f456e1 ef87e M 
eb2db28113cafb7bf7c73f74e8889dadb3d5e3e11c8ddde9c676431ccdldlb792ed108677f76f bM 
(1342153528.261) Receiving: 62b4ecc96cced1e628498e31282f 732085a45ec3567f7f43ec| 
8ae16bf961975028ba0248aa7fbf99182b9cf6abf54ae209b4f3ed5918e6d74a5e827fdf 6ad70ebl 





0xE6 — car keyless entry 


configuring the dongle - Keyless Entry Fob 
• start RfCat 

- set Frequency to 315 MHz 

- set Modulation to ASK_OOK 

- set SyncWord to FFFE and SyncMode to SYNCM_16_of_16 

- set Packet Length: 12 

- enable Manchester Encoding 

- play around with baud rates... end up at 4761.9 baud 

- d.RFlisten() 



0xE7 — genie! oh genie! 


configure the dongle / determine correct parameters: genie 
• start RfCat 

- set Frequency to 315 MHz 

- set Modulation to ASK_OOK 

- set SyncWord to AA00 and SyncMode to SYNCM_16_of_16 

- set Packet Length: 30 

- play around with baud rates... end up at 5200 baud 

- d.RFlisten() 



0xE8 — hop hop hopping along... 


>>> d.getFHSSstate() 

• import friend, decide who will be Sync Master. 

• non-Master starts first: 

>>> d.setFHSSstate(FHSS_STATE_DISCOVER) 

• now the Sync Master: 

>>> d.setFHSSstate(FHSS_STATE_SYNCINGMASTER) 

• once sync'd: 

>>> d.getMACdata() 

>>> print d.reprMACdata() 



0xE8.1 — FHSS xmit and recv 

• now, one of you send (notice, different function) 
>>> d.FHSSxmit('yo yo! wazgud!?') 

• and the other of you receive: 

>>> d.RFrecv() # nothing special here 
>>> d.RFlisten() # same thing here 



